Martin Panter <> added the comment:

Hi Yao, I tend to agree with Ned. The support for “file:” URLs is by design. I 
don’t see any security problems. I suggest to close this.

In Issue 11662, it was decided that a web server redirecting to a “file:” URL 
was a security problem. This is because the mechanism that follows the redirect 
is automatic, and the target of the redirect is under the control of the remote 
server, not the local user or program. But other parts of the Python library 
still support “file:” URLs without causing any problems. Those URLs are under 
control of the caller, like in your “” file.

The /etc/passwd file may be readable by ordinary users. But /etc/shadow may 
require special permission to read, because it holds password hashes. Or it may 
not exist under that name, depending on the OS. If a web application calls 
“urllib.request.urlopen”, I think it is up to the application to validate the 
URL it passes. It may want to deny or limit access to specific directories, URL 
schemes, host names, etc. It is not up to Python to make those decisions.

When I tried your “” demonstration, it made Firefox offer to 
“download” (i.e. copy) the “ls” executable file. I think this is normal 
behaviour, and does not indicate a security problem. A plausible use-case would 
be opening a local README.html file distributed with a program in a web browser.

nosy: +martin.panter
resolution:  -> not a bug
status: open -> pending

Python tracker <>
Python-bugs-list mailing list

Reply via email to